sherlock-audit / 2023-04-unitasprotocol-judging


DevABDee - `XOracle.putPrice()` Can Fall Victim to Front-running Attacks: Attackers Can Make Quick Profits, while Users Can Avoid Loss and even Turn the Potential Loss into Profits. #105

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

DevABDee

high

XOracle.putPrice() Can Fall Victim to Front-running Attacks: Attackers Can Make Quick Profits, while Users Can Avoid Loss and even Turn the Potential Loss into Profits.

Summary

XOracle.putPrice() (and updatePrices()) sets and updates the price of the supported tokens, especially EMC tokens. However, this functionality can be vulnerable to exploitation by attackers and malicious users.

Vulnerability Detail

Proof-of-concept

Attackers Can Make Quick Profits:

An attacker can create a very large profit using flash loans.

Furthermore, malicious users can prevent losses and even turn the potential loss into profits:

Impact

Attackers have the ability to make quick profits, while users can prevent losses and even turn the potential loss into profits.

Code Snippet

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/d5328421bea80e3b0fd4595e4eb6b732a40e421e/Unitas-Protocol/src/XOracle.sol#L26

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/d5328421bea80e3b0fd4595e4eb6b732a40e421e/Unitas-Protocol/src/XOracle.sol#L34

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/d5328421bea80e3b0fd4595e4eb6b732a40e421e/Unitas-Protocol/src/Unitas.sol#L208

Tool used

Shaheen's Vision

Recommendation

To ensure the security of price updates, it is advised to implement the following measures:

Additional Note:

Regarding the putPrice(), the protocol wrote this in the contest page's already known issues section:

When users are performing a swap, if they encounter an Oracle price update within the same block, they may exchange at a different price than originally expected. Our Oracle price feeder does not have a fixed update time, but the chances of encountering this situation are very low. We plan to implement checks in phase 2 to address this. Risk: very low.

I believe the protocol may have overlooked the potential attack vector associated with the issue from an attacker's perspective. This vulnerability can be exploited by malicious users and attackers, resulting in substantial profits. Bots, in particular, can take advantage of this loophole and ruthlessly capitalize on the situation. Therefore, it is essential to prioritize the mitigation of this issue during the current phase of development. Thanks.

Duplicate of #67